I am trying to scan pure .java files using Fortify static code analysis and frequently getting an error message saying that I have not included the complete list of jars.

"The following references to java classes could not be resolved. Please make sure to supply all the required jar files that contain these classes to SCA."

My question is: would it affect the scan results? And is this warning to be taken seriously? (Because my scan is going on nevertheless ;)

palacsint
user2122786

2 Answers

Thinking about this from first principles rather than knowledge of the product or of your application:

Presumably Fortify will scan the code it can see, so it will return some useful results. However, as it can't see all the code, it can't do a complete job.

I don't know how clever Fortify can be; what does it do about things such as abstract factories? Such design patterns can effectively make run-time determinations of which classes are actually used, hence you can get radically different application behaviours depending upon which jars are available.

Bottom line: given that your app can be run somewhere, why can you not get all the JAR files together to give Fortify a chance to do a more complete job?

djna
You can get a partial scan and results, but some issues may be totally missed and/or given a lower risk. If your code calls functions in the JAR files, SCA cannot follow the dataflow into and out of the functions. Therefore those data paths go into a black hole and no results are returned.

It is always best to have no warnings and code that will compile to scan.

LaJmOn
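As an added illustration of the "black hole" both answers describe (this is example code, not from the question or either answer, and not Fortify's own material), the file below holds two classes. `ReportPaths` stands in for a class that would normally ship inside a third-party jar (assumed name: `report-utils.jar`); `ReportExporter` is the application code handed to the scanner. The package name, class names and jar name are all assumptions made for the example.

```java
// Added example: why an unresolved jar can hide a dataflow finding.
// In a real project, ReportPaths would be compiled into report-utils.jar
// (assumed name) and only ReportExporter.java would be given to SCA.
package example; // assumed package, not from the page

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

// Stand-in for a class that lives in a separate jar. It returns the
// caller's input essentially unchanged, so taint flows straight through it.
final class ReportPaths {
    private ReportPaths() {}

    static String normalize(String userSupplied) {
        // Trims whitespace only; does not validate or confine the path.
        return userSupplied.trim();
    }
}

public final class ReportExporter {

    // Taint source: a command-line argument supplied by whoever runs the
    // program. Sink: the file system.
    //
    // With report-utils.jar on the scanner's classpath, SCA can resolve
    // ReportPaths.normalize and trace args[0] -> normalize -> FileInputStream,
    // so a path manipulation issue can be reported.
    //
    // With the jar missing, the call to normalize() is one of the
    // "references to java classes [that] could not be resolved": the analyzer
    // cannot see that the return value is the same tainted string, the path
    // is dropped at that call, and the issue may be missed or downgraded.
    public static long countBytes(String[] args) throws IOException {
        String path = ReportPaths.normalize(args[0]);
        try (InputStream in = new FileInputStream(path)) {
            long total = 0;
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
            }
            return total;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(countBytes(args));
    }
}
```

The practical check is the one the warning itself asks for: the jar that contains `ReportPaths` must be on the classpath given to `sourceanalyzer` during the translation step (its `-cp` option takes a classpath of jars and class directories, the same value the project is compiled with), and the translation should then run without the unresolved-reference warning. A scan that prints that warning still completes, but any finding whose dataflow crosses the unresolved call is the kind of result that silently goes missing.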